From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Newsgroups: comp.lang.ada
Subject: Re: Current "Swen" worm attack - the best address
Date: 26 Sep 2003 10:20:01 -0700

Preben Randhol wrote:

> > I still think that
> > it is unlikely. My reason is that, although such a forgery is possible
> > it requires extra effort (for which I don't see valid purpose), and
> > adds unnecessary danger for the worm's creator(s). And even stronger
> > reason (for me) is that it seems that in all messages I received
> > within that stream (except 1), addresses at that place were quite
> > good-looking, and single exception was simply
> > rmailroutine@microsoft.com .
>
> Huh? It is common that viruses take the e-mail addresses and forge mails
> in these names as they get sent.

Forging "From:" field is certainly common, but forging headers requires more
effort. Also, it is not a simple thing to get over 1000 different good-looking
addresses this way.

> The source is the machine the virus was
> installed on so there isn't much danger for the worm creators from that.

I meant the danger that comes when one annoys expert postmasters community
too strongly. -;) .

> cesa.air.defense.gouv.fr ? There is no site with that name.

I know that, I tried ping and tracert yesterday. Nevertheless, the headers
contained that address, and I doubt that virus invented it from scratch.
I also tried tracert for addresses in that place in several other messages
from that virus stream, and they responded.

Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia